A DRM client on a device establishes trust with a DRM server for playback of digital content. The client executes in a secure execution environment, and the process includes (1) securely loading loader code from secure programmable memory and verifying it using a digital signature scheme and first key securely stored in the device; (2) by the verified loader code, loading DRM client code from the memory and verifying it using a digital signature scheme and second key included in the loader code; (3) by the verified DRM client code (a) obtaining a domain key from the memory; (b) encrypting the domain key with a device identifier using a DRM system key included in the DRM client code; and (c) sending the encrypted domain key and device identifier to the DRM server, whereby the device becomes registered to receive content licenses via secure communications encrypted using the domain key.
|
1. A method by which a signed client certificate is created for use by a client device in establishing mutually authenticated secure communications with a backend server of an application service, the communications to be secured by a client private/public key pair, the backend server storing a validation server public key used by the backend server to confirm a certificate signature of the signed client certificate, comprising:
at the client device, generating a first message and sending it to a device validation server, the generating including (1) generating the client private/public key pair using a random number generator, (2) generating a certificate signing request including the client public key and a certificate hash value; (3) encrypting the certificate signing request together with a device-specific authentication token and a locator value for the backend server, the encrypting producing encrypted values and performed using a domain token shared among a plurality of client devices, and (4) forming the first message to include the encrypted values and a hash of the domain token;
at the device validation server, (1) receiving the first message and confirming the hash of the domain token, (2) decrypting the encrypted values using the domain token to obtain decrypted values including the certificate signing request, the device-specific authentication token and the locator value, (3) generating the certificate signature from the decrypted values using a digital signature process and a validation server private key, and (4) securely sending the certificate signature to the client device; and
at the client device, forming the signed client certificate including the client public key and the certificate signature received from the device validation server.
|
This application is a continuation of U.S. application Ser. No. 13/708,332 filed on Dec. 7, 2012 which claims priority to U.S. Application No. 61/568,032 filed on Dec. 7, 2011. The disclosures of which are incorporated herein by reference.
A procedure is described for establishing trust between a computerized device (also called a “client device”) and a server system for digital rights management (DRM) (also referred to as a DRM server or “backend”). The technique is applicable to devices such as mobile smartphones or tablets (more generally mobile devices) as well as fixed devices such as set top boxes. In one embodiment the device may utilize a specialized processing chipset, referred to as “system-on-chip” or SoC, that incorporates several hardware components such as processor(s), WiFi and network interface controller, content decryption and decoding, etc.
The techniques herein utilize a processing arrangement including a secure execution environment such as the arrangement known by the name TrustZone. Such an arrangement generally requires some level of specific hardware support in any physical implementation. The arrangement includes two execution environments, one being the secure environment and the other referred to as the non-secure or “normal” environment. With the exception of a secure communication channel, the normal environment does not have access to resources of the secure environment, but the secure environment has full access to all resources including secure as well as non-secure resources.
The DRM client utilizes the backend to help bootstrap a chain of trust to the backend, so that DRM licenses can be served to enable protected content to be played. Key aspects of establishing the root of trust of the device and the application to the backend are described.
The foregoing and other objects, features and advantages will be apparent from the following description of particular embodiments of the invention, as illustrated in the accompanying drawings in which like reference characters refer to the same parts throughout the different views. The drawings are not necessarily to scale, emphasis instead being placed upon illustrating the principles of various embodiments of the invention.
The components in the secure environment 30 are responsible for establishing a root of trust with the backend 10 (
The non-secure DRM client 42 is mainly an interface (via the API component 40) between the content player 38 and the secure DRM client 50. In particular, the non-secure DRM client 42 only sends requests to the latter to register the device 12, obtain a rights object for a particular media object, and enable decryption and playing of the media object. The DRM Agent 48 is an API layer to access the backend servers 10.
In one embodiment, the secure environment 30 may employ components of the so-called TrustZone family, including the secure processor 20-S realized according to the ARM architecture, as well as the secure kernel 44 and secure file system 46 which are specially tailored for security-related uses. Establishing a root of trust is based on security features offered by the hardware (SOC chipset) that is embedded in a circuit board used to build a device (e.g., mobile phone handset). While the chipset manufacturer provides the hardware, the device manufacturer (OEM) loads firmware (code) such as the DRM client and DRM agent 48.
The initial step is device authentication 60 in which it is established that the device 12 is an authentic device running an unmodified version of the device O/S 36, the DRM Client (portions 42 and 44) as well as DRM agent 50. The approach used is to begin with a secure boot process involving two levels of boot using a signature scheme such as RSA-PSS (Probabilistic Signature Scheme) to verify the authenticity of the signatures of boot loaders and the DRM client. The DRM client is distributed as firmware and resides in flash memory of the device 12, not ROM. It is included in the second level boot, and thus it is necessary to authenticate the DRM client code by a process as described below. The device manufacturer uses a private key PrK to generate a signature of the firmware in the factory. This signature is verified at each boot. The DRM client is verified as part of the firmware. The device 12 also contains the manufacturer's public key PuK to verify that the binary has not been modified. This verification code is stored in SoC ROM. The PuK must not be modifiable even if it is not confidential.
Next, this root of trust is extended to include the backend 10. This involves securely sending a secret back to the backend 10. At this point, the backend 16 has verified the authenticity of the device 12 and indirectly the authenticity of the client software. An application client that authenticates to its application backend server can subsequently use the DRM agent 48 to request a media play. The DRM agent 48 uses client-certificates for mutual authentication when talking to the backend 10 for verifying trust and obtaining rights object containing licenses pertaining to the specific device and the media selected. A content key is securely conveyed to the hardware player and the media is decrypted and rendered on the screen of the device 12. This workflow is shown in
Establishing a root of trust begins with a secure boot procedure. This is implemented using the secure execution environment 30 (e.g., ARM TrustZone) in addition to some hardware mechanisms that may be manufacturer-specific.
For the secure boot process, in one embodiment a manufacturer-specific private key PvK is used to generate a signature of the firmware at its creation point. The DRM client may be deployed in this manner. The chain of trust begins with one component—SoC ROM. Ideally, the corresponding public key PuK is burnt into the ROM and used to authenticate the first bootloader. However, putting the PuK on the SoC ROM means it is the same for the class of devices. To prevent class-hacks, OTP (One Time Programmable) poly-silicon fuses may be used to store unique values in each SoC during device manufacture. For example, a 256-bit hash of a 2,048-bit PuK can be stored. Thus, the PuK is individualized to some collection of devices 12 and its verification is via the hash burned into the OTP fuses. The PuK itself can be loaded from flash memory. The flash would contain all PuKs that may be usable, and the specific one in use is identified by the hash.
For the code authentication, the following steps are taken at boot time (all operations in the secure environment 30):
Note that all communication between the secure and non-secure environments 30, 32 are via a secure API, which in the case of TrustZone is referred to as TZ-API. This communication is necessary to allow the content player 38 to communicate with the DRM agent 48.
Thus far, it has been verified that the boot loaders and the DRM client code are genuine. It is still necessary to perform device-level verification to establish for the backend 10 that the device 12 is a genuine device running a genuine O/S 36. Device authentication includes communicating certain sensitive information to the backend 10 in a secure manner. This step applies to each backend. Thus, it is required to register the device 12 for each different app 38. The device 12 is validated through a secret value by a device validation service 10-DV. The registration process is initiated by the app 38 calling a “register” API with 2 arguments: a URL pointing to the app's service backend 10-AB, and an opaque user authentication token that the app has obtained from the app's subscriber management server 10-SN (typically after a user authentication step done in the app). This triggers the authentication steps described below.
The DT may be generated in a secure manner in an entirely separate process, then it is stored in the validation server 10-DV. It is desirable to partition the devices 12 into sub-groups with different DTs in order to contain any damage from a breach.
The client SSL certificate signing request is generated based on a device-generated local property called “Device ID” (2048 bits long) that is stored in the secure file system 48. The Device ID is a confidential way of individualizing this device and is used as the client's private key CPrK. The Device ID is constructed at run time in the device 12 from a hardware-based random source and created only when the device registration is run. The combination of the individualized manufacturer PuK and the Device ID has a high degree of uniqueness.
The device 12 is validated in the beginning when it first needs to acquire a client certificate and thereafter to renew the certificate when DT is revoked. A client certificate is specific to the device 12 and may be used with multiple apps 38.
The above secret values are sent to the validation service 10-DV after encryption with AES128 using DT as key. The hash DTH is not included in the encryption but sent together with the encrypted message.
The encryption with DT together with Step 2 (below) is a way to ensure the authenticity of the device 12. This is because the DT is installed into the secure file system 48 by the OEM (handset) manufacturer (or on their behalf by the chipset manufacturer) and the secure file system 48 guarantees confidentiality.
A backup value of DT also needs to be stored in the secure file system 48 in order to renew the primary DT as explained below. The SSL client certificate(s) associated with a retired DT also need to be renewed.
All further client communication to the app's service backend 10-AB are via the mutually-authenticated SSL using the client certificate. The service backend 10-AB can verify the signature using the DRM system public key DPuK.
Rights objects are sent over an SSL connection and stored encrypted in the secure file system 48 (e.g., using AES encryption or public-key encryption, in which case the client's public key is stored with the encrypted rights objects). Media keys are stored in the secure file system 48 and provided to the media player in the secure environment 30. Media playback is via a hardware-based decrypt and decode mechanism.
The DT stored in the secure file system 48 may need to be renewed in the event of a security incident. This is achieved by using a revocation procedure where the old DT is renewed with a new one sent down to the device 12 after establishment of trust. In step 2 of the Device Authentication, the old DT is no longer accepted by the backend 10-DV and an error is returned with a condition that rejects the old DT. In this event, the secure DRM client 50 retries with the backup DT. After the successful acceptance of the backup DT, trust is established and a new DT is transmitted encrypted with the backup DT using AES-128. This new DT is then installed as the primary DT.
After the DT is renewed, all old client certificates issued based on this must be renewed. This is achieved by forcing a new device registration. The process may be controlled so that not all clients are forced to renew at the same time.
While various embodiments of the invention have been particularly shown and described, it will be understood by those skilled in the art that various changes in form and details may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.
Ma, Kevin J., Nair, Raj, Mikhailov, Mikhail
Patent | Priority | Assignee | Title |
10511587, | Jun 11 2015 | Siemens Aktiengesellschaft | Authorization apparatus and method for an authorized issuing of an authentication token for a device |
11184353, | Jun 07 2015 | Apple Inc. | Trusted status transfer between associated devices |
11463267, | Sep 08 2016 | NEC Corporation | Network function virtualization system and verifying method |
Patent | Priority | Assignee | Title |
20080082828, | |||
20080126248, | |||
20090217036, | |||
20100306548, | |||
20120096560, | |||
20120303951, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Dec 22 2014 | Ericsson AB | (assignment on the face of the patent) | / | |||
Jan 15 2015 | MA, KEVIN | Ericsson AB | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 037620 | /0544 | |
Jan 15 2015 | MIKHAILOV, MIKHAIL | Ericsson AB | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 037620 | /0544 | |
Jan 15 2015 | NAIR, RAJ | Ericsson AB | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 037620 | /0544 |
Date | Maintenance Fee Events |
Sep 09 2019 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Sep 08 2023 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Date | Maintenance Schedule |
Mar 08 2019 | 4 years fee payment window open |
Sep 08 2019 | 6 months grace period start (w surcharge) |
Mar 08 2020 | patent expiry (for year 4) |
Mar 08 2022 | 2 years to revive unintentionally abandoned end. (for year 4) |
Mar 08 2023 | 8 years fee payment window open |
Sep 08 2023 | 6 months grace period start (w surcharge) |
Mar 08 2024 | patent expiry (for year 8) |
Mar 08 2026 | 2 years to revive unintentionally abandoned end. (for year 8) |
Mar 08 2027 | 12 years fee payment window open |
Sep 08 2027 | 6 months grace period start (w surcharge) |
Mar 08 2028 | patent expiry (for year 12) |
Mar 08 2030 | 2 years to revive unintentionally abandoned end. (for year 12) |